Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnlloyd_13
Contributor II

Created on ‎01-19-2025 07:16 PM

FGT VIP and Firewall Policy Order

hi,

i'm going to configure a new FGT.

is it preferred to put/configure ALL VIP/DNAT rules on top then put ALL FW policy/SNAT afterwards?

can someone advise what's the best practice in FGT?

Labels:
297
0 Kudos
6 REPLIES 6
kmohan
Staff
Staff

Created on ‎01-19-2025 11:03 PM

Hello John

For VIP configuration, you can follow below kb articles:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

Karthick
271
srajeswaran
Staff
Staff

Created on ‎01-19-2025 11:12 PM

Fortigate performs Destination NAT lookup first then do a policy match and then only source NAT rules comes in to picture, so ideally the order based on the DNAT/SNAT based policies are not going to make any difference.

You may place the policies that is expected to have high number of hits on top , this can help in scenarios where a session re-validation is required.

Below document explains the packet flow in FGT.
https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/p...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
262
johnlloyd_13
Contributor II

Created on ‎01-19-2025 11:49 PM

hi,

thanks for your responses! appreciate it.

one last question, if i got 2x interfaces (using private IP) in FGT that would need to communicate, do i just create 2x FW policy (only allowing specific service, i.e. 443, 53, icmp): one outbound and one inbound WITHOUT NAT?

i.e, port 1: 192.168.1.0/24 <> FGT <> port 2: 172.16.1.0/24

256
0 Kudos
srajeswaran
Staff
Staff
In response to johnlloyd_13

Created on ‎01-20-2025 12:00 AM

Ideally creating policy without NAT is expected to work (assuming FGT is the gateway for these 2 subnets). If the gateway is different you need to enable source NAT.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
249
johnlloyd_13
Contributor II
In response to srajeswaran

Created on ‎01-20-2025 12:06 AM

hi,

yes, the FGT (interface IP) is the default GW for these 2x private subnets.

just to confirm, i'll need to create 2x FW policy for inbound and outbound traffic correct?

242
0 Kudos
srajeswaran
Staff
Staff
In response to johnlloyd_13

Created on ‎01-20-2025 12:10 AM

Thats correct

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
237
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.